July 01, 2011

Indian Government to Clarify Data Privacy Rules Affecting Outsourcing

In a post on this blog five weeks ago, and in a quote in The Washington Post, we noted that Indian legal outsourcing companies have nothing to fear from India's new data privacy rules, which went into effect last April. The new rules, in the country's Information Technology Act, are surprisingly tougher than data protection laws in the West. For example, they ostensibly require Indian companies to obtain written consent from any individual or company before obtaining sensitive, "personal" data from that individual or company. Regarding legal process outsourcing companies, we noted as follows:

Most LPO service level agreements are already in the form of written contracts that either already are in compliance, or can be amended if necessary. Moreover, one of the keys to understanding the impact of the "written consent" requirement is the fact that it covers only "personal" information [such as credit card numbers, Social Security numbers, etc.], which is not the kind of data that most offshore legal outsourcing companies generally receive.

We also commented that one of the effects of the new rules "may be to help put to rest one of the old 'bug-a-boos' so often raised by naysayers, namely, the story that India, relative to the West, has no legal protection for data security."

Now, the Indian government reportedly has assured outsourcing industry leaders that "the collection of personal data abroad by Indian companies will not come under the new rules, because Indian companies will be collecting this data on behalf of the customer who is abroad and governed by laws in his country." This is a quote from Kamlesh Bajaj, CEO of the Data Security Council of India, which was set up by the National Association of Software and Service Companies (Nasscom), India's IT trade association. Bajaj says the government "soon" will be issuing a clarification to that effect.

If this is true, then the "written consent" problem may be disappearing, even for call centers, IT companies, and other BPO (business process outsourcing) firms. But Bajaj notes that "Indian companies that handle data will however continue to be governed under those parts of the rules that require them to follow stringent security procedures as processors of data."

PC World reports that at least one expert on the subject is skeptical about whether BPOs no longer need to worry about obtaining written consent:

The current rules, which came into force in April, do not make a distinction between Indian outsourcers and their customers abroad, and it would appear that customers abroad will also have to follow the stipulated procedures for the collection of personal data, including seeking written approval from the individuals from whom they collect the data, said Pavan Duggal, a cyber law consultant and advocate in India's Supreme Court.

Our own take on this has been that "those [individuals] usually have binding agreements with the banks, hospitals, credit card companies or other clients that use the call centers, and the clients usually have written agreements with the call centers," so that "[t]he required consents can be in the agreements."

Either way, again, none of this should affect offshore legal outsourcing, which generally does not involve the collection of "personal" information as defined in the rules.
